New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Forward secrecy (and forward anonymity) #73
Comments
Why not hand out one-time-pads to new users :P |
Alexander Bothe:
Because we are not building yet another toy for crypto people. |
Also, I fail to see what this has to do with forward secrecy. |
It was just a humorous interjection, nothing actually constructive :) |
Forward secrecy unfortunately complicates handling of multiple devices a lot. That means we should consider how we can implement our ideas for updating keys (c.f. #72) in a multi-device setup. The TextSecure protocol manages to combine both features, but I don't see that their solution can be used in Qabel's drop-server design. |
Perhaps a temporary solution for sharing/distributing keys etc could be found in using Sync. |
If we use the noise protocol, we only need to share ephemeral encryption keys. IMO TextSecures method could be used by using a file on the storage as a "key server": To reduce the number of keys on the "key server" <#encryptedMessagesToMe we could implement the chain-key approach from TextSecure. The usage of ECC would save storage space and the chain-key approach only works with EC keys. Edit: the chain-key approach works with DH, but not with RSA. |
@roeslpa good idea. Did you guys discussed this? An update of this issue would be nice if possible. |
@thechauffeur The guys discussed this and came to the conclusion that we redesign the crypto, switching to a crypto protocol called noise https://github.com/trevp/noise/wiki which @schulze mentioned in #72 |
Yep that's right, but since noise doesn't serve full forward secrecy, I will think about the approach of TextSecures axolotl and how we could use it. I will update this when I have a usable concept. |
I thought about this for a while but I do not have a solution yet. Of course axolotl is the best choice to implement forward secrecy as it is wanted, but there is one problem: If we leave out the ephemeral keys for initial contact I would say: IMHO we should use axolotl, but I am not convinced by the ideas of distributing ephemeral keys and I don't know what your opinion is about "breaking" the protocol. I did not find the way TextSecure is handling/planning to handle it. What do you say, @schulze @L-Henke ? |
I was looking at this again from a more abstract perspective: if we use axolotl (~if we want real forward secrecy), each device has to have its own key, so each message needs be sent to all own devices and all devices of the receiver. Result: |
What about serving an extra drop channel that protects contents via PFS (Perfect Forward Secrecy cough)? This might be a good compromise between not letting the 'normal' traffic exhaust hardware resources and having PFS somewhere in Qabel. Additionally, public relation folks can still claim that Qabel provides PFS :D |
Forward secrecy isn't a problem with respect to hardware resources or something like that. I would just make the protocol and key management more complicated. I think it is a key design goal, that modules don't need to implement their own crypto and that module developers don't need to make decisions about which crypto provider to use. I still think that in the long run we should do something like what you suggested. E.g. the core could provide an API to create OTR/axolotl sessions for synchronous forward secure communications for modules that have a concept of a session. But that shouldn't be a priority right now :) |
So the result is: |
@schulze you want to write a wrap-up and close this. |
@schulze what is the status of this? |
Noise provides Forward Secrecy (not Perfect, though..but that's okay, imho), so this issue is obsolete |
No. (I will write something after lunch :-) ) |
I just thought because Noise uses temporary keys which are used one time only, it has some sort of forward secrecy. |
Basically. Noise Boxes provide Sender forward secrecy: The sender can't decrypt boxes once they are encrypted, thus after compromise of the private key an attacker also can decrypt these messages. The same does not hold for received messages: If your private key gets compromised an attacker can decrypt all messages send to you in the past and in the future.
The word "perfect" in the context of forward secrecy is subtle, problematic and probably useless. "Perfect" has a very specific meaning in the context of Shannon's theory of information-theoretic cryptography. In the context of forward secrecy it was meant to have a similar meaning, but the meaning is probably very different from what you think it means. [ Side note: The term "forward secrecy" is also somewhat problematic, because many people intuitively get a wrong idea about the benefits it provides. It does not mean that previous messages somehow get more secure or unbreakable. If somebody breaks AES or curve25519 then there actually is little benefit in having used a forward secret protocol. ] About the future of this issue: I think we already decided how we want to proceed, so I will try to write a short summary and then we can decide if we want to close this and open a new issue (POST BETA) with a concrete plan of action. |
@schulze all right, do this. The thing is you labeled this issue POST BETA but you stated you write this summary and let the rest be POST BETA, right? |
Our ideas in the past were, that we want to have a not too complicated protocol, that multi-client support is very important for many users, and that most of the data we transmit is long-lived and will be stored on the users devices. Forward secrecy would bring much additional value and only complicate the protocol. I think this still is correct. (See also the thread on the messaging@ starting with http://moderncrypto.org/mail-archive/messaging/2014/001013.html about the design of forward secret multi-device protocols.) It could still make sense to offer a forward secure channel, probably using noise pipes, for e.g. chat applications. I created issue #127 POST BETA for that. |
In the current design we use long-term key-pairs to guarantee confidentiality and integrity. This doesn't provide any forward secrecy, and because of the problems raised in #72, also no forward anonymity.
[See http://en.wikipedia.org/wiki/Forward_secrecy or https://www.imperialviolet.org/2013/12/03/forwardsecretforjournalists.html for details about the concept of "forward secrecy.
Short version: It is the E in the ECDHE of the TLS-ECDHE_RSA_WITH_AES.... cipher-suite I am using with Github right now. It is a Good Thing, but not vital. ]
Changing the encryption-keys in regular intervals, as mentioned in #72, is not enough to implement forward secrecy. We also need to make sure that the old key-material is destroyed, so we first have to make sure that all contacts do have the new key-material.
The text was updated successfully, but these errors were encountered: